Unraid OS version 6.10.2 available



This release contains Security fixes, a Data Corruption mitigation, bug fixes and other minor improvements.

 

To upgrade:

  • First create a backup of your USB flash boot device: Main/Flash/Flash Backup
  • If you are running any 6.4 or later release, click 'Check for Updates' on the Tools/Update OS page.
  • If you are running a pre-6.4 release, click 'Check for Updates' on the Plugins page.
  • If the above doesn't work, navigate to Plugins/Install Plugin, select/copy/paste this plugin URL and click Install:
    https://unraid-dl.sfo2.cdn.digitaloceanspaces.com/stable/unRAIDServer.plg

     

 

Bugs: If you discover a bug or other issue in this release, please open a Stable Releases Bug Report.

 

Thank you to all Moderators, Community Developers and Community Members for reporting bugs, providing information and posting workarounds.

 

Please remember to make a flash backup!

 

Data Corruption possible with tg3 driver when Intel VT-d is enabled.

The combination of Linux 5.15 kernel, tg3 driver, and Intel VT-d enabled appears to be causing data corruption.  This has been verified on several platforms which include a Broadcom NetXtreme Gigabit Ethernet NIC (note: there may be others).  This release includes the following workaround:

 

Very early in server startup (rc.S) if Intel VT-d is detected enabled, then the script will unconditionally create the file:

 /etc/modprobe.d/tg3.conf

with the following content:

blacklist tg3

Hence by default if VT-d is enabled, which is to say, it has not been disabled in either bios or via kernel "intel_iommu=off", then we are going to blacklist the tg3 driver on all platforms.

What if someone has a platform where tg3 does not give them any trouble with VT-d enabled? In this case they must create an empty file on their flash device:

config/modprobe.d/tg3.conf

When the startup sequence continues it will get to the point where it executes:

install -p -m 0644 /boot/config/modprobe.d/* /etc/modprobe.d

A blank tg3.conf file stored on the flash then effectively un-blacklists it.

There will be users who will lose network connectivity because their NIC is blacklisted. If you are running on a problematic platform you should go into your bios and disable VT-d. If this is a platform without issue, then you will need to create the blank tg3.conf file on your flash config/modprobe.d directory.

It may take some time to identify and integrate a proper fix for this issue, at which point we will remove the auto-blacklisting code.  I want to thank @JorgeB for his incredible help in identifying and isolating this issue.

 

Security-related Changes

  • The Firefox browser has been updated to version 100.0.2 to address a very nasty security vulnerability.  If you use Firefox we also suggest upgrading on all platforms.
  • We fixed an issue where webGUI login could accept a password from a user other than 'root', if that username included the string 'root'.
  • The Linux kernel was updated to 5.15.43 to address a "security bypass" vulnerability.

 

Other Changes

  • On Management Access page, for the "Use SSL/TLS" setting we changed the word "Auto" to "Strict" in the drop-down menu.  This better describes the action of this setting.
  • Docker manager now uses Docker label for icons as fallback.
  • VM manager now gives the option of using LibVirt networks in addition to bridges without having to edit the VM's XML.
  • Improved handling of custom SSL certificates.
  • [6.10.1] Fix regression: support USB flash boot from other than partition 1
  • other misc. bug fixes

 


Version 6.10.2 2022-05-27

Base distro:

  • firefox AppImage: version: 100.0.r20220519220738 (CVE-2022-1802 CVE-2022-1529)

Linux kernel:

  • version 5.15.43-Unraid (CVE-2022-21499)

Management:

  • nginx: avoid appending default port number to redirect URLs
  • nginx: self-signed cert file: accept common name and all alternate names
  • startup: fix multiple network interfaces being assigned the same MAC address
  • startup: blacklist tg3 by default if Intel VT-d is enabled
  • webgui: Management Access: Use SSL/TLS setting: change the word 'Auto' to 'Strict'
  • webgui: Fixed: smGlue not included when selecting a controller
  • webgui: Fixed: allow share names with embedded ampersand
  • webgui: add LXC terminal support (for LXC Plugin)
  • webgui: Docker Web UI to use Docker label for icons as fallback
  • webgui: VM Manager: support libvirt networks (make libvirt networks accessible via gui)
  • webgui: fix issue where 'root' login works with password from another username which includes string 'root'
  • webgui: Update OS page spelling correction: warninging -> warning
  • webgui: helptext review: minor corrections

Version 6.10.1 2022-05-21

Management:

  • startup: fix regression: support USB flash boot from other than partition 1
  • Like 2
  • Thanks 4
  • Upvote 1
Link to comment
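The startup ordering described in the release notes above, as an added example that is not Unraid's rc.S: a sandbox simulation of the two steps, showing why an empty tg3.conf on the flash device cancels the automatic blacklist. The temp directories stand in for / and /boot, and VT-d detection is reduced to an on/off argument because the post does not show how the script detects it.

```shell
#!/bin/sh
# Constructed sandbox: nothing under the real /etc or /boot is touched.
# simulate_boot <vtd: on|off> <flash_override: none|empty>
# Prints "blacklisted" or "loadable" for tg3 once both startup steps have run.
simulate_boot() {
    vtd=$1 override=$2
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/modprobe.d" "$root/boot/config/modprobe.d"

    # Step 1 (very early in startup): VT-d enabled -> unconditional blacklist.
    if [ "$vtd" = on ]; then
        echo "blacklist tg3" > "$root/etc/modprobe.d/tg3.conf"
    fi

    # The user's opt-out: an empty file with the same name on the flash device.
    if [ "$override" = empty ]; then
        : > "$root/boot/config/modprobe.d/tg3.conf"
    fi

    # Step 2 (later in startup): files from flash overwrite same-named files.
    # Guard the glob: with nothing on flash the pattern would stay literal
    # and install would fail on a file named '*'.
    set -- "$root"/boot/config/modprobe.d/*
    if [ -e "$1" ]; then
        install -p -m 0644 "$@" "$root/etc/modprobe.d"
    fi

    # The blacklist survives only if the generated file was not overwritten.
    if grep -qsx 'blacklist tg3' "$root/etc/modprobe.d/tg3.conf"; then
        result=blacklisted
    else
        result=loadable
    fi
    rm -rf "$root"
    echo "$result"
}

simulate_boot on none     # default on a VT-d system
simulate_boot on empty    # empty override on flash
simulate_boot off none    # VT-d disabled in BIOS or via intel_iommu=off
```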
Quote

webgui: fix issue where 'root' login works with password from another username which includes string 'root'

How long has that been insecure?

Also how was that not caught by unit tests? "Login doesn't accept trailing characters" is a pretty rudimentary test case for a security system.

Link to comment
3 minutes ago, limetech said:

 

Does it use 'tg3' driver?

No, it appears not

 

“lsmod | grep tg3” says no

 

but having changed the IOMMU thing how do you recommend I proceed? Leave or remove that startup change? If it turns Intel IOMMU on but the changes turn it off will there be a conflict?

 

see attached pic 

DD8A6413-AA71-458B-BD31-F147EEE5B453.png

Edited by blaine07
Link to comment
2 hours ago, handspiker2 said:

How long has that been insecure?

Also how was that not caught by unit tests? "Login doesn't accept trailing characters" is a pretty rudimentary test case for a security system.

 

Issue was introduced at the beginning of 6.10-rc series when we introduced code to require a root password and add brute-force mitigations.  Does not have to do with sanitizing input from a form but rather server-side extraction of the record from /etc/shadow file.  You can examine the one-line fix here.

Link to comment
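An added illustration of the bug class described in the reply above (record extraction from a shadow-format file by substring instead of by exact username), with a regression check of the kind asked for earlier in the thread. This is not the Unraid webGUI code or its one-line fix; the sample records, placeholder hashes and function names are constructed, and taking the last matching line is an assumption about how a single record ends up selected.

```shell
#!/bin/sh
# Constructed sample in /etc/shadow layout (name:hash:...). Hashes are placeholders.
SHADOW_SAMPLE='notroot:HASH_OF_NOTROOT:19000:0:99999:7:::
root:HASH_OF_ROOT:19000:0:99999:7:::
rootbackup:HASH_OF_ROOTBACKUP:19000:0:99999:7:::'

# Weak lookup: any line containing the name matches, and one line of the
# multi-line result (here the last) is used as "the" record.
lookup_substring() {
    printf '%s\n' "$SHADOW_SAMPLE" | grep -- "$1" | tail -n 1 | cut -d: -f2
}

# Strict lookup: the first field must equal the username exactly.
lookup_exact() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# Regression check: every account must resolve to its own hash.
# Prints how many accounts resolve to some other account's record.
count_mismatches() {
    lookup=$1 bad=0
    for user in $(printf '%s\n' "$SHADOW_SAMPLE" | cut -d: -f1); do
        expected="HASH_OF_$(printf '%s' "$user" | tr a-z A-Z)"
        [ "$("$lookup" "$user")" = "$expected" ] || bad=$((bad + 1))
    done
    echo "$bad"
}

echo "substring lookup for root -> $(lookup_substring root)"
echo "exact lookup for root     -> $(lookup_exact root)"
echo "mismatches (substring): $(count_mismatches lookup_substring)"
echo "mismatches (exact):     $(count_mismatches lookup_exact)"
```

With the substring lookup, the hash checked for a 'root' login belongs to 'rootbackup', which is the behaviour the release notes describe; the exact-field lookup returns only root's own record.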
8 minutes ago, blaine07 said:

“lsmod | grep tg3” says no

 

but having changed the IOMMU thing how do you recommend I proceed? Leave or remove that startup change? If it turns Intel IOMMU on but the changes turn it off will there be a conflict?

 

By "change" if you mean code added in this release to blacklist 'tg3' - it does not enable/disable Intel IOMMU.  It detects if Intel VT-d is enabled, and if so, auto-blacklists 'tg3' - that's it.

 

I think the issue you are referring to is unrelated.  Can't remember atm, but isn't this issue with older Dells? Older platforms, such as GEN8 Microservers have buggy bios which does not reset/virtualization correctly and manufacturers have no appetite to go fix.

Link to comment
3 minutes ago, limetech said:

 

By "change" if you mean code added in this release to blacklist 'tg3' - it does not enable/disable Intel IOMMU.  It detects if Intel VT-d is enabled, and if so, auto-blacklists 'tg3' - that's it.

 

I think the issue you are referring to is unrelated.  Can't remember atm, but isn't this issue with older Dells? Older platforms, such as GEN8 Microservers have buggy bios which does not reset/virtualization correctly and manufacturers have no appetite to go fix.

Sorry, on the tg3 I didn’t really understand. Ultimately just trying to determine it is safe for me to upgrade. Can rollback if necessary so no harm no foul. 
 

Yes, the BZROOTIMG thing is related to older-ish Dells. First I’ve heard about not resetting virtualization correctly though so not sure there?? 🤔
 

Thank you for the insight; thank you for your time to help me understand a little bit here. 
 

Thanks! 

Link to comment
17 minutes ago, limetech said:

 

Issue was introduced at the beginning of 6.10-rc series when we introduced code to require a root password and add brute-force mitigations.  Does not have to do with sanitizing input from a form but rather server-side extraction of the record from /etc/shadow file.  You can examine the one-line fix here.

Oh, that's not too bad!

also TIL: the webgui has a public github!

  • Haha 1
Link to comment
6 hours ago, blaine07 said:

Post says “Broadcom NetXtreme Gigabit Ethernet NIC (note: there may be others).” are affected but what about “NetXtreme II”? Would they be affected?

 

Different driver:

01:00.0 Ethernet controller [0200]: Broadcom Inc. and subsidiaries NetXtreme II BCM5709 Gigabit Ethernet [14e4:1639] (rev 20)
    DeviceName: Embedded NIC 1                          
    Subsystem: Dell PowerEdge T610 BCM5709 Gigabit Ethernet [1028:0237]
    Kernel driver in use: bnx2
    Kernel modules: bnx2

 

As far as we know, not affected, so far all affected servers I found, about 10 in total, were using a NIC with the tg3 driver and that appears to be the only thing they had in common.

  • Like 1
  • Thanks 1
Link to comment

***Data Corruption possible with tg3 driver when Intel VT-d is enabled.***

 

Could this not have been mentioned in the changelog as a warning?

Or noted more clearly on there?

Not everyone goes to the forum prior to updating!
I did read the Change log, but there is no mention of this in the Change log which is shown on the server!
And as I am not reading the Beta forum every day:

 

I have a HP MicroServer Gen 8 with a E3-1265LV2, and had a very nasty surprise of a server which was unreachable with the error "ETH0 Not found".

Edited by PaulV86
  • Upvote 4
Link to comment

I have just updated from v6.10.0 to v6.10.2 and now I can't remotely connect to the server, I also have a HP MicroServer Gen8 with a E3-1265LV2

 

Connecting up a monitor locally I see the following messages on bootup

 

Starting mcelog daemon: /usr/sbin/mcelog --daemon

Device "eth0" does not exist

Cannot find device "eth0"

 

I'm unclear how to get the system back up and running, any help appreciated

 

Thanks

Link to comment
1 minute ago, Oceanic said:

I'm unclear how to get the system back up and running, any help appreciated

It's in the release notes: since that server is known to have issues with VT-d enabled, you should disable it. You can do that in the BIOS or by adding 'intel_iommu=off' to syslinux.cfg

Link to comment

Thanks JorgeB

 

For people who are fairly new to this (like me), here are the instructions on how to fix this on a HP MicroServer Gen 8 with a E3-1265LV2

 

Reboot the server

During bootup press F9 to enter the bios.

Once the bios is loaded enter the menu System Options -> Processor Options -> Intel(R) VT-d

Set it to disabled

Press Esc to get to the top menu again

Press F10 to exit the bios and save

 

The server should now boot again as normal

 

  • Like 5
  • Thanks 1
Link to comment
2 hours ago, Oceanic said:

Thanks JorgeB

 

For people who are fairly new to this (like me), here are the instructions on how to fix this on a HP MicroServer Gen 8 with a E3-1265LV2

 

Reboot the server

During bootup press F9 to enter the bios.

Once the bios is loaded enter the menu System Options -> Processor Options -> Intel(R) VT-d

Set it to disabled

Press Esc to get to the top menu again

Press F10 to exit the bios and save

 

The server should now boot again as normal

 

 

Thanks for the instructions!  Added to release notes:

https://wiki.unraid.net/Unraid_OS_6.10.2#How_to_Disable_Intel_VT-d_on_HP_MicroServer_Gen_8_with_a_E3-1265LV2

  • Like 1
Link to comment

I am getting the following error when updating from 6.9.2

 

plugin: updating: unRAIDServer.plg
plugin: downloading: https://unraid-dl.sfo2.cdn.digitaloceanspaces.com/stable/unRAIDServer-6.10.2-x86_64.zip ... failed (Network failure)
plugin: https://unraid-dl.sfo2.cdn.digitaloceanspaces.com/stable/unRAIDServer-6.10.2-x86_64.zip download failure (Network failure)

Link to comment
